Privacy concerns as two thirds of top Apple iPhone apps transmit UDIDs

Some two thirds of popular Apple iPhone applications transmit users UDIDs, leading to potential security concerns, an Assistant Director of Information Security and Networking at Bucknell University has warned.

by
Nick Spence| 05 Oct 10

Some two thirds of popular Apple iPhone applications transmit users UDIDs, leading to potential security concerns, a new study has warned.

Eric Smith, Assistant Director of Information Security and Networking at Bucknell University in Lewisburg, Pennsylvania, discovered 68 per cent of the 57 top applications in the Apple iTunes App Store sent out UDID information, back to a remote server, owned either by the application developer or an advertising partner.

UDIDs, or unique device identifiers, are a 40-digit sequence of letters and numbers, and can be used to identify users and transmit sensitive information, unencrypted and to third parties.

Smith warned, popular applications such as those from Amazon, Facebook or Twitter, inherently have the ability to tie a UDID to a real-world identity. "Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity," Smith said.

"For example, Amazon's application communicates the logged-in user's real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone's UDID with the name of the phone's owner."

Smith noted in conclusion: "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies."

"Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information."

Apple's mobile platform is not alone in being open to potential abuse. Researchers at Duke University, Pennsylvania State University and Intel Labs discovered only last week that many applications on Google's rival Android platform were sending information, such as users GPS location and phone numbers, without the knowledge or permission of the user.